As part of the tests, this commit refactors the sp.go and
adds a test provider with the feature to serve a metadata xml.

Add tests for Config and ServiceProvider

Add tests for CreateAuthnRequest

Add options for CreateMetadata and ParseResponse

Generate xsd:id conform IDs

…84)

* Adds ability to provide IdP metadata as XML or individual parameters

* DefaultGenerateAuthRequestID to GenerateAuthRequestID

* improve error message for URL parsing config params

Add  tests for `AuthnRequestRedirect`

`DescriptorCommon.ValidUntil` is a `time.Time` struct so the `omitempty`
tag has no effect. This patch changes it to be a pointer so that it can
be properly omitted.

Also in CreateMetadata() we set both `ValidUntil` on the `EntityDescriptorSPSSO`
and the inner `SPSSODescriptor`. The spec says

	validUntil - Optional attribute indicates the expiration time of the
	metadata contained in the element and any contained elements.

so this is actually redundant.

NameIDFormat is

	Zero or more elements of type anyURI that enumerate the name identifier
	formats supported by this system entity acting in this role. See Section
	8.3 of [SAMLCore] for some possible values for this element.

Vault (and I think Boundary also) do not need it to be an email, the name
is used as an opaque string.

I suppose most public IdP will have an email for their user but private
ones may not have one and use an employee ID or a username instead.

I think it's best to keep the default configuration empty to be compatible
with such systems.

* chore (saml): add demo binary to .gitignore

* fix (saml): fix compilation and linter issues

* chore (saml): fix some typos

* fix (saml): code refactoring

Add Option to indent the XML Document

Fix validUntil attribute

Remove NameIDFormat default

Implement HTTP-POST binding endpoint for the test provider

* save progress

* Adds Response type definition using gosaml2 type

* Adds response test back

…nse() (#95)

* Add support for custom ACS URL in CreateAuthnRequest() and ParseResponse()

The URL can now be customized using `WithAssertionConsumerServiceURL()`
in both functions.

To validate the behavior I added a short test for `ServiceProvider.ParseResponse`.
It only checks the error to make sure `WithAssertionConsumerServiceURL()`
for now but can be extended in the future.

Also fix a docstring and gives the custom clock from `WithClock()` to the
internal parser.

* Fix code review

* Run the tests in CI

When can remove this before merging on master but it would be good to have the CI working on our branch

* Backport of 5283f33

SAML Library fixup

* fix (saml): address possible panic if clock.Clock is nil

* fix (saml): fix possible panic in WithAdditionalACSEndpoint(...)

changed  location url to be passed by value to eliminate possible
panic

* refactor (saml): add WithMetadataNameIDFormat(...)

Refactor WithAdditionalNameIDFormat(...) and WithNameIDFormats(...)
into one new option WithMetadataNameIDFormat(...)

* fix (saml): address possible panics in saml handlers

* tests (saml): minor code improvements

More SAML library fixes

* Add caching support to IDPMetadata()

Caching the metadata document will avoid an additional round-trip to the
IDP for every connection.

The Metadata for the OASIS Security Assertion Markup Language says
regarding caching:

	4.3 Post-Processing of Metadata
	The following sections describe the post-processing of metadata.

	4.3.1 Metadata Instance Caching
	[E94] Document caching MUST be based on the duration indicated by the cacheDuration attribute of
	the subject element(s). If metadata elements have parent elements which contain caching policies, the
	parent element takes precedence. To properly process the cacheDuration attribute, consumers must
	retain the date and time when an instance was obtained.

	Note that cache expiration does not imply a lack of validity in the absence of a validUntil attribute or
	other information; failure to update a cached instance (e.g., due to network failure) need not render
	metadata invalid, although implementations may offer such controls to deployers.
	When a document or element has expired, the consumer MUST retrieve a fresh copy, which may require
	a refresh of the document location(s). Consumers SHOULD process document cache processing
	according to [RFC2616] Section 13, and MAY request the Last-Modified date and time from the HTTP
	server. Publishers SHOULD ensure acceptable cache processing as described in [RFC2616] (Section
	10.3.5 304 Not Modified).

	4.3.2 [E94] Metadata Instance Validity
	Metadata MUST be considered invalid upon reaching the time specified in a validUntil attribute of the
	subject element(s). The effective expiration may be adjusted downward by parent element(s) with earlier
	expirations. Invalid metadata MUST NOT be used. This contrasts with "stale" metadata that may be
	beyond its optimum cache duration but is not explicitly invalid. Such metadata remains valid and MAY be
	used at the discretion of the implementation.

With this change the cached metadata is used until it expires. This behavior
can be disabled using WithCache().

Using a stale document when refreshing it fails is disabled by default
and users can opt-in using WithStale().

* Address code review comments

* Run go mod tidy

* Run go mod tidy

* Update saml/sp_test.go

Co-authored-by: Jim <[email protected]>

---------

Co-authored-by: Jim <[email protected]>

A small refactor and added more unit tests

…ibutes (#104)

* saml: adds helpers for response assertions, subject, and attributes

* fix up comment

* Restructure test, add coverage, add issuer helpers

Add SAML to README